Ex-Employees: Offboarding Checklist
Here we look at why organisations need to have an effective employee offboarding procedure in place and suggest a checklist for you that could form the basis of this procedure.
Why?
Members of organisations inevitably change over time for various reasons, perhaps to relocate to another job and move away, or they may be asked to leave, or for many other reasons. However, when employees or contractors/third parties leave a business and there is no effective ‘offboarding’ plan or system in place, they are likely to still have access to your organisation’s systems and data through old passwords and access-rights. Like it or not, this makes them a potential threat to your business.
Creating an effective offboarding plan and process that can be actioned (immediately) as the employee leaves can therefore protect you and your clients, maintain security, help ensure the safe continuity of the business, and help to fulfil legal and stakeholder responsibilities.
Such a plan and process can start with a simple checklist, although you may find it ends up being longer than you first thought. With this in mind, we take a close-up look at employee offboarding and provide a summary offboarding checklist that you may want to use to help with your own offboarding process.
What Kind of Threats?
Examples of the kinds of potential threats that an organisation may need to guard against upon employee exit include:
– Damage, theft, and disruption. Departing employees can cause significant harm by stealing data, attacking company systems, or disrupting network operations due to lack of proper security measures.
– Insider threat. Ex-employees with active access rights can leak sensitive information, engage in industrial espionage, extort the company, or steal customer data. Insider threats account for a significant portion of data breaches.
– Data exfiltration. Departing employees might take sensitive information like client lists or intellectual property with them (intentionally or unintentionally), leading to competitive disadvantages and legal issues.
– Social engineering. Ex-employees may manipulate current employees using their insider knowledge to gain unauthorised access, often through phishing attacks.
– Sabotage. Disgruntled former employees might delete important files, corrupt data, or disrupt services, causing operational and financial damage.
– Legal and compliance risks. Failing to revoke access can lead to breaches of data protection regulations, resulting in legal penalties and reputational damage.
– Continuity of business operations. Inadequate access control can disrupt business processes, especially if the ex-employee held key roles or knowledge, leading to operational bottlenecks.
– Financial fraud. Ex-employees with access to financial systems may commit fraud, manipulate accounts, or process unauthorised transactions, impacting the company financially.
– Loss of customer trust. Compromised customer data due to inadequate offboarding can erode trust, damage the company’s reputation, and lead to business losses and legal actions.
How Big Is The Problem?
A 2023 PasswordManager.com (US) survey found that 47 per cent of 1,000 workers admitted to still using their employers’ passwords even after leaving the company, with 58 per cent of them saying this was because the passwords had not changed since they left the company. Interestingly, 44 per cent said someone still working for the company shared it with them!
Also, a UK government Cyber Security Breaches Survey 2022 revealed that while many UK businesses are aware of the risks, implementation of robust off-boarding procedures remains inconsistent. For example, only 36 per cent of businesses had formal cyber-security policies, and even fewer medium-sized enterprises reviewed these policies regularly.
Examples
Some high-profile examples of organisations who have suffered data breaches at the hands of ex-employees include:
– In 2023, Tesla reported that a significant data breach had been caused by two former employees who leaked personal information of over 75,000 individuals, including employee records and other sensitive data.
– Also in 2023, a former RAC employee was found guilty of stealing personal data of road traffic accident victims. The ex-employee had accessed and photographed sensitive data, which he later attempted to sell.
– Back in 2016, broadcasting watchdog Ofcom suffered a large data breach when a former employee downloaded around six years’ worth of third-party data before leaving for a new job at a major broadcaster. The data was then offered to the new broadcaster who informed Ofcom.
Legal Responsibility
The examples above highlight one important reason for closing any potential holes in security during an employee exit which is the legal responsibility under current data laws. The United Kingdom General Data Protection Regulation (UK-GDPR) and the Data Protection Act 2018 (an updated version of the DPA 1998) are the primary legislative frameworks governing how businesses or organisations in the UK should manage the protection and handling of data. Within these frameworks, the data controller (i.e. your company or organisation) holds the responsibility for data matters.
Protecting this data is crucial not only to safeguard the individuals whose data the company holds but also to protect the company itself from legal penalties, reputational damage, and other consequences. In addition to personal data, businesses must ensure the protection of other sensitive data such as financial records, intellectual property, and details about company security controls.
Procedure
These threats and responsibilities show that businesses and organisations need to address employee exit as part of their due diligence. This can be done by developing a built-in company procedure that runs whenever an employee leaves (offboarding).
The Checklist
This company procedure could be built around a checklist / a kind of security audit that covers all the main areas from which leaving employees need to have their access revoked and which plugs any potential loopholes. The checklist could include, for example:
1. Notification and Planning
– Inform the IT security team and relevant departments about the employee’s departure, especially if the departure is contentious.
– Plan the off-boarding process and assign responsibilities.
2. Email and Communication Management
Emails are a window into company communications and operations and a place where sensitive data is exchanged and stored. Email is also a common ‘vector’ for cyber-criminals. Therefore:
– Revoke access to company email accounts.
– Set up auto-forwarding and out-of-office replies with new contact details.
– Revoke access to other email programs and mass mailing services (e.g. Mailchimp).
3. Access to Systems and Networks
– Revoke login details and permissions for company computer systems and networks.
– Disable VPN and remote access accounts.
4. Customer Relationship Management (CRM) Systems
– Revoke login access to CRMs containing customer and stakeholder data.
5. Collaborative Working Apps and Platforms
– Remove access to cloud-based platforms and collaboration tools (e.g. Teams, Slack).
– Ensure that the employee cannot access shared working groups.
6. Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA)
– Deactivate any 2FA or MFA devices or apps used by the employee.
7. Privileged Accounts
– Revoke access to any privileged accounts, including admin rights and root access on servers and databases.
8. Physical Security Measures
– Retrieve all company-related keys, pass cards, ID cards, parking passes, and similar items.
– Update physical security systems like alarm codes and biometric access.
9. Return of Company Assets
– Ensure the return of all company devices, including laptops, phones, and tablets.
– Keep a record of which devices were allocated to the employee.
10. Data and Document Access
– Retrieve any backup/storage media (e.g. USBs).
– Transfer or delete any items stored in separate folders on the employee’s computer.
– Conduct a thorough audit of the employee’s digital footprint within document management systems.
11. Password Management
– Change any passwords shared with multiple members of staff.
– Implement a regular password-changing policy as a fail-safe measure.
12. Financial Security
– Change PINs for company credit/debit cards authorised for the employee’s use.
13. Social Media and Online Presence
– Remove the employee’s email address and extension from the company website.
– Update company social media to reflect the departure.
– Ensure the ex-employee is not featured in the business’s online estate.
14. Legal and Compliance
– Ensure the off-boarding process complies with legal and regulatory requirements.
– Remind the departing employee of their obligations under non-disclosure agreements (NDAs) and data protection laws during the exit interview.
15. Monitoring and Follow-Up
– Implement monitoring to detect any unusual activity associated with the former employee’s accounts.
– Regularly review and update access review processes to adapt to organisational changes.
16. Customer and Client Notification
– Notify clients and customers of the change and provide new contact details to ensure continuity.
17. Physical Document Retrieval
– Retrieve any physical documents (e.g. handbooks) that could contain sensitive information.
By following a comprehensive checklist like this one, you can effectively manage the security aspects of employee off-boarding, ensuring that all potential loopholes are addressed, and that the company’s data and resources remain secure.
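Several of the checklist items above (access revocation under items 3 to 7, and the monitoring and follow-up under item 15) can be verified automatically rather than simply ticked off. The following is an added Python example and not code from the original article: it reads a leavers list, compares it against per-system account exports, and scans authentication log lines for any activity by a leaver after their departure date. The leavers list, the account exports, the log format (timestamp, system, event, key=value fields) and the system names are all constructed for the example and are assumptions about how such exports might look in practice.

```python
"""Offboarding audit (added example): reconcile a leavers list against
per-system account exports and scan an authentication log for activity
after each leaver's departure date.  All input data below is constructed."""
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime

# Constructed leavers list, as the HR notification from checklist step 1
# might be exported.  'contentious' is recorded so such exits can be
# prioritised, but it does not change the checks below.
LEAVERS_CSV = """username,departure_date,contentious
jsmith,2024-05-31,no
akhan,2024-06-07,yes
"""

# Constructed account exports, one per system: username -> account enabled?
# System names are assumptions standing in for the checklist's email, VPN,
# CRM and collaboration platforms.
SYSTEM_EXPORTS = {
    "email": {"jsmith": False, "akhan": True, "bjones": True},
    "vpn": {"jsmith": True, "bjones": True},
    "crm": {"akhan": True, "bjones": True},
    "slack": {"jsmith": False, "akhan": False},
}

# Constructed authentication log lines (assumed format:
# ISO timestamp, system, event, then key=value fields).
AUTH_LOG = """2024-05-30T08:01:12Z vpn LOGIN_OK user=jsmith src=203.0.113.10
2024-06-03T22:14:55Z vpn LOGIN_OK user=jsmith src=198.51.100.7
2024-06-10T09:30:00Z crm LOGIN_FAIL user=akhan src=203.0.113.44
2024-06-11T09:31:10Z crm LOGIN_OK user=akhan src=203.0.113.44
2024-06-11T10:00:00Z email LOGIN_OK user=bjones src=203.0.113.5
"""


@dataclass
class Finding:
    username: str
    system: str
    kind: str  # "account_still_enabled" or "post_departure_login"
    detail: str


def parse_leavers(text):
    """Return {username: departure_date} from the leavers CSV."""
    leavers = {}
    for row in csv.DictReader(io.StringIO(text)):
        leavers[row["username"]] = date.fromisoformat(row["departure_date"])
    return leavers


def find_enabled_accounts(leavers, exports):
    """Checklist items 2-7: any leaver whose account is still enabled anywhere."""
    findings = []
    for system, accounts in exports.items():
        for user, enabled in accounts.items():
            if user in leavers and enabled:
                findings.append(Finding(user, system, "account_still_enabled",
                                        f"left {leavers[user].isoformat()}"))
    return findings


def find_post_departure_activity(leavers, log_text):
    """Checklist item 15: any auth event (success or failure) for a leaver
    dated strictly after their departure date.  Activity on the departure
    day itself is treated as part of the normal last working day."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, system, event, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        user = kv.get("user")
        if user not in leavers:
            continue
        when = datetime.fromisoformat(ts.replace("Z", "+00:00")).date()
        if when > leavers[user]:
            findings.append(Finding(user, system, "post_departure_login",
                                    f"{event} at {ts} from {kv.get('src', '?')}"))
    return findings


def audit(leavers_csv, exports, log_text):
    """Run both checks and return the combined list of findings."""
    leavers = parse_leavers(leavers_csv)
    return (find_enabled_accounts(leavers, exports)
            + find_post_departure_activity(leavers, log_text))


if __name__ == "__main__":
    for f in audit(LEAVERS_CSV, SYSTEM_EXPORTS, AUTH_LOG):
        print(f"{f.kind:22} {f.system:6} {f.username:8} {f.detail}")
```

Run as a script it lists six findings from the constructed data: three accounts still enabled for leavers (email and CRM for akhan, VPN for jsmith) and three post-departure events, including a failed CRM login for akhan, which item 15 treats as worth reviewing even though it did not succeed. In a real deployment the exports would come from each system's admin API and the check would be re-run on a schedule, so that an account re-enabled after the exit (or a shared password still in use, item 11) is caught rather than assumed closed.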
BYOD Threat?
Where companies offer ‘Bring Your Own Device’ (BYOD) meaning that employees can bring in their personally owned laptops, tablets, and smartphones to work and use them to access company information, this could pose an additional level of threat during employee exit.
This threat may be lessened where companies opt for different types of BYOD, such as corporately owned, personally enabled (COPE); choose your own device (CYOD); personally owned and partially enterprise-managed; or personally owned with a managed container application.
In any case, BYOD should always be accompanied by clear policies and guidance as part of effective management.
Ex-Employee’s Legal Responsibilities
It should be remembered that, although the business / organisation has legal responsibilities to protect company data, the ex-employee is also subject to the law for their behaviour. This is of particular importance where an employee who has dealt with the personal details of others in the course of their work leaves or retires. For example, the ICO prosecuted a charity worker who, without the knowledge of the data controller (Rochdale Connections Trust), sent emails in 2017 from his former work email account containing sensitive personal information of 183 people. Also, a former Council schools admission department apprentice was found guilty of screen-shotting a spreadsheet that contained information about children and eligibility for free school meals and then sending it to a parent via Snapchat.
What Does This Mean For Your Business?
An effective offboarding procedure is essential to ensure that when employees or contractors leave an organisation, they pose a significantly reduced security risk. Without a proper system in place, departing employees may retain access to sensitive systems and data, which can lead to significant security breaches. This not only endangers the privacy and integrity of company and client information but also exposes the organisation to potential legal liabilities and reputational damage.
Implementing a comprehensive offboarding checklist is really a matter of due diligence and helps to systematically address all potential vulnerabilities. Such a checklist ensures that all necessary steps are taken to revoke access to company emails, systems, and networks, and to retrieve company assets. By meticulously following these steps, businesses can prevent former employees from inadvertently or maliciously accessing confidential information.
A well-structured, regularly updated checklist, therefore, facilitates clear communication among various departments involved in the offboarding process, ensuring that no critical task is overlooked. This organised approach can help maintain the continuity and security of business operations, safeguard the company from potential threats and ensure compliance with data protection regulations. A detailed offboarding procedure is a crucial element of any organisation’s overall security strategy, protecting both the company and its stakeholders.
Thought About Cyber Insurance?
Here we take a look at cyber insurance, why you may decide you need it, how much it costs, and where to get it.
What Is Cyber Insurance?
Cyber insurance is a type of insurance policy designed to protect businesses and individuals from internet-based risks, and more generally from risks relating to IT infrastructure and activities. It provides coverage for financial losses that result from cyber incidents such as data breaches, network damage, and cyber extortion. For example, businesses may face costs resulting from data/security breaches, media content liability (e.g. intellectual property infringement), GDPR defence costs or paying GDPR fines, credit/debit card breaches, data breach response services, data breach notification, legal fees, system repairs, and more.
Why Would Your Business Need Cyber Insurance?
Just as we need to ensure our most valuable and valued physical-world possessions are protected (e.g. our homes and cars), we now live in a digital age where people and businesses rely heavily on technology and online platforms to operate efficiently. However, this dependence makes businesses vulnerable to a range of cyber-threats, including data-breaches, ransomware attacks, and hacking incidents. Even a single cyber-attack can result in substantial financial losses, legal liabilities, and reputational damage. Cyber insurance, therefore, provides a safety net, so that businesses can recover financially and operationally from these incidents. By covering costs such as data-breach notification, legal fees, and system repairs, cyber insurance helps mitigate the financial burden of cyber-attacks.
Risk Management Too
Cyber insurance can also play a crucial role in risk management. For example, it encourages businesses to assess their cyber vulnerabilities and implement robust security measures.
Insurers often require policyholders to adhere to specific security protocols, which enhances overall cybersecurity standards. This proactive approach not only reduces the likelihood of an attack but also ensures businesses are better prepared to respond effectively if one occurs. Therefore, having cyber insurance is not just about financial protection, but it’s also about fostering a culture of cybersecurity within the organisation.
Not Forgetting Regulatory Compliance
In addition to financial and security benefits, cyber insurance is essential for regulatory compliance. Many industries are subject to strict data protection regulations, such as the General Data Protection Regulation (GDPR) in Europe and non-compliance can, of course, result in hefty fines and legal consequences.
Cyber insurance policies, therefore, often include support for regulatory compliance, helping businesses navigate complex legal requirements and avoid penalties. By providing resources for legal counsel and regulatory guidance, cyber insurance ensures that businesses can meet their obligations and maintain trust with customers and stakeholders.
What Kind Of Things Does It Cover?
As mentioned above, broadly speaking, cyber insurance aims to provide financial cover for things like data breaches, network damage, and cyber extortion. Cyber insurance for UK businesses actually provides comprehensive coverage for various cyber-related incidents. Here are some examples of what it typically covers:
Data Breach Response
– Notification Costs: Covering the expenses of notifying customers and affected individuals after a data breach.
– Credit Monitoring Services: Providing credit monitoring to those whose personal information has been compromised.
Business Interruption
– Loss of Income: Reimbursement for lost revenue due to a cyber-attack that disrupts normal business operations.
– Extra Expenses: Covering additional costs incurred to keep the business running while dealing with the cyber incident.
Cyber Extortion
– Ransom Payments: Payments made to cybercriminals to regain access to data or systems.
– Negotiation Costs: Expenses related to negotiating with extortionists and managing ransom demands.
Legal Fees and Defence Costs
– Third-Party Claims: Legal expenses arising from lawsuits due to a data breach or security failure.
– Regulatory Fines and Penalties: Coverage for fines and penalties imposed by regulators for data protection breaches, such as those related to GDPR.
Crisis Management
– Public Relations: Costs associated with managing and repairing the company’s reputation after a cyber incident.
– Forensic Investigation: Expenses for investigating the cause and extent of the cyber-attack.
Network Security Liability
– Liability Claims: Coverage for claims arising from failure to protect data, resulting in data theft or corruption.
– Defence Costs: Legal defence costs for claims related to network security breaches.
Media Liability
– Defamation and Infringement: Coverage for claims of libel, slander, copyright infringement, or defamation resulting from digital content.
Technology and Data Recovery
– Data Restoration: Costs of restoring and recovering lost or corrupted data.
– System Repair: Expenses for repairing or replacing damaged hardware and software.
You may be thinking after looking at this list that there are many more costs than you may have thought associated with dealing with the results of a data breach, cyber-attack, or serious and disruptive network issue. These costs, plus the high levels of ever-more sophisticated cyber-crime, may be the arguments behind many businesses now having cyber insurance.
What Proportion of Businesses Now Have Cyber Insurance?
Considering the large potential costs of dealing with a serious cyber / network incident (as shown above) it may be a surprise to know that the proportion of businesses with cyber insurance in the UK is still relatively modest. For example, the latest data shows that only 43 per cent (UK Home Office 2024) of UK businesses have a cyber insurance policy in place and within this group, a small fraction, around 5 per cent (Insurance Business UK), have specialised cyber insurance policies tailored to their specific needs. Most companies rely on broader policies that include some form of cyber risk coverage as part of their overall insurance package.
This may be particularly surprising given that according to the Cyber Security Breaches Survey 2024 by the Department for Science, Innovation and Technology (DSIT):
– 32 per cent of businesses and 24 per cent of charities experienced a cyber security breach or attack in the past 12 months.
– Among larger businesses, the figures are higher, with 45 per cent of medium businesses and 58 per cent of large businesses having reported cyber-crimes.
– The average short-term direct cost for businesses dealing with a cyber incident was £1,650, which increases to £6,490 for medium and large companies.
– Long-term direct costs, which include expenses incurred after the initial breach, averaged £782 for all businesses but reached £6,010 for larger firms.
Who Provides It?
Several examples of the well-known insurers in the UK market that offer cyber security insurance include:
– AXA provides comprehensive cyber insurance that covers a range of cyber risks, including data breaches, business interruption, and cyber extortion.
– Aviva offers cyber insurance policies that can be tailored to businesses of all sizes. Their coverage includes protection against data breaches, cyber extortion, and business interruption caused by cyber incidents, and there is access to a 24/7 cyber incident helpline and expert support.
– Hiscox provides coverage which includes costs associated with data breaches, cyber extortion, and third-party liability, and it offers risk management tools and resources to help businesses improve their cyber security posture.
– Zurich offers cyber insurance policies covering a wide range of cyber risks, including data breaches, network security failures, and cyber extortion. Zurich also provides access to a global network of cyber experts and offers pre-breach services to help businesses mitigate their cyber risks.
There are, of course, many other companies that offer cyber insurance. For example, even Amazon now offers it with AWS Cyber Insurance Competency Partners, and through a partnership with Superscript is offering cyber insurance to small and medium-sized businesses in the UK. For example, Amazon Business Prime users can access the product by logging in to Superscript using their Amazon account.
How Much Does It Cost?
Obviously, the price of cyber insurance varies according to factors like the size of the business, the level of coverage, and the industry. However, as a very general guide:
– Small businesses in the UK may expect to pay around £115 per month for cyber insurance / £1,380 annually (Insureon), which can fluctuate depending on the specific risks associated with the business and the amount of sensitive data handled.
– Medium-sized businesses may see premiums ranging from £1,500 to £5,000 per year, with the variation being due to the higher risk and more significant potential losses associated with larger volumes of data and more complex IT systems.
– For large businesses, cyber insurance costs can range from £10,000 to £50,000 annually and can include higher coverage limits and broader protection against various cyber threats (reflecting the greater complexity and risk involved).
What Does This Mean For Your Business?
The rising tide of cyber threats highlights the urgent necessity for businesses to not just strengthen their cyber security measures, but also to consider adopting comprehensive cyber insurance policies. Cyber-attacks are not only becoming more frequent but also increasingly sophisticated, posing severe risks to financial stability and operational continuity. For businesses, this means that traditional security measures alone may no longer be sufficient. Cyber insurance provides a critical safety net, offering financial protection against the costs associated with data breaches, business interruptions, and other cyber incidents.
Investing in cyber insurance can significantly mitigate the financial and operational impacts of cyber-attacks. Policies typically cover a range of expenses, from data breach notifications and legal fees to system repairs and business interruption losses. This ensures that businesses can recover more swiftly and maintain their operations with minimal disruption. Also, cyber insurance often includes access to expert support and resources, helping businesses to manage incidents more effectively and reduce the risk of recurrence.
In addition to financial protection, it’s important to remember that cyber insurance also plays a crucial role in regulatory compliance. For example, many industries are subject to stringent data protection regulations, such as the GDPR in Europe, and non-compliance can result in hefty fines and legal consequences. Cyber insurance policies frequently offer support for navigating these complex legal requirements, helping businesses to avoid penalties and maintain trust with customers and stakeholders.
For businesses evaluating their need for cyber insurance, it’s important to consider the broader benefits. Beyond immediate financial coverage, having a cyber insurance policy can drive improvements in overall cyber security practice. For example, insurers often require policyholders to implement robust security protocols, fostering a culture of proactive risk management within the organisation. This not only reduces the likelihood of successful cyber-attacks but also ensures that businesses are better prepared to respond effectively when incidents do occur.
Given the substantial costs associated with cyber incidents, the investment in cyber insurance becomes a strategic decision. Whether you are a small business, medium-sized or a large corporation, the protection and peace of mind offered by cyber insurance can be invaluable.
The evolving landscape of cyber threats, therefore, appears to necessitate a multifaceted approach to cyber security and you may decide, for all the reasons mentioned above, that cyber insurance should be a cornerstone of this strategy for your business.
Tech Tip – Update Your Software and Drivers
Although cyber security insurance may be all very well for after the event, keeping your software and drivers up to date is crucial for helping to prevent security issues in the first place, and for maintaining the security and performance of your Windows device. Updates often include security patches that protect against newly discovered vulnerabilities. Here’s how to make sure your security is up to date:
Go to Settings > Update & Security > Windows Update.
Click ‘Check for updates’ to see if there are any new updates available.
Install any available updates to ensure your system is protected.
Additionally, check for updates for your installed applications and hardware drivers through their respective software or the manufacturer’s website.
Featured Article: New Windows Screenshot Feature Sparks Privacy Concerns
The new AI-powered Windows ‘Recall’ feature, which takes a screenshot every five seconds to generate a searchable timeline of everything a user has interacted with, has prompted security and privacy concerns.
What Is Recall?
The Recall feature for Windows (currently in preview status) is a new feature that’s exclusive to Microsoft’s forthcoming Copilot+ PCs. Recall takes snapshots of whatever is on your screen every five seconds (e.g. emails and photos), provided the content on screen differs from the previous snapshot. These snapshots are then stored (encrypted) and analysed locally on the user’s PC using AI-based optical character recognition (OCR). The collection of snapshots is designed to give users not only a timeline of everything they’ve done and seen, but also the ability to search through it by voice command for what they need, e.g. any content (text and images) they may have been working on or seen. Microsoft says the functionality will be improved “over time” to enable users to open the actual source document, website, or email in a screenshot.
When Recall opens the snapshot a user has requested, it enables ‘screenray’. This runs at the top of the snapshot and allows the user to interact with any of the elements in the snapshot, so for instance, the user can copy text from the snapshot or send pictures from the snapshot (to an app that supports jpeg files).
Won’t It Just Fill Up The PC’s Storage Space With Snapshots?
With a new snapshot captured every five seconds (whenever the screen changes) and stored locally on the PC, you may be wondering what this will do to the storage space. Microsoft says the minimum hard drive space needed to run Recall is 256 GB (of which 50 GB must be available) and that the default allocation for Recall on a device with 256 GB will be 25 GB, which can store approximately 3 months of snapshots. Users can increase the storage allocation for Recall in the PC Settings, and old snapshots are deleted when the allocated storage is used, allowing new ones to be stored.
Why Use Recall?
According to Yusuf Mehdi, Microsoft’s executive vice president and consumer chief marketing officer, with Recall, Microsoft “set out to solve one of the most frustrating problems we encounter daily — finding something we know we have seen before on our PC”.
Broadly speaking therefore, Recall is essentially a productivity and user experience-enhancing feature. Microsoft hopes that Recall will transform how users interact with their digital content by providing powerful, AI-driven tools for retrieving and managing past activities while maintaining a high level of control and (hopefully) privacy too.
Privacy Concerns
While on the face of it, it’s possible to see how useful this feature could be, Recall has set privacy alarm bells ringing for some users. For example, it’s been reported that the Information Commissioner’s Office (ICO) is contacting Microsoft for more information on the safety of the product and that Recall has been described as a “privacy nightmare” by some privacy watchdogs. Examples of some of the key concerns about the potential privacy issues of Recall include:
– Since the feature doesn’t moderate what it records, very sensitive information including snapshots of passwords, financial account numbers, medical or legal information (and more) could be accessed and taken, presenting an obvious risk. Microsoft says: “Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers. That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry.”
– With gaining initial access to a device being one of the easier elements of an attack, this is all that would be needed to potentially access the screenshots and steal sensitive information or business trade secrets.
– Anyone who knows a user’s password could access that user’s history in more detail.
– Recall is currently at the preview stage, but unless Microsoft assesses the data protection implications, and people’s rights and freedoms, before the feature is released to the wider market, there may be some serious legal issues and consequences.
Elon Musk also posted about the feature on his X platform saying: “This is a Black Mirror episode. Definitely turning this ‘feature‘ off.”
What Does Microsoft Say?
In defence of Recall and to allay the privacy concerns expressed, Microsoft points out that:
– Recall is not enabled by default – it is an opt-in feature. Users must manually activate it to use it and can configure its settings to control what data it captures and stores.
– Microsoft says it built privacy into Recall’s design “from the ground up”.
– By clicking on the Recall taskbar icon after users first activate their Copilot+ device, they can choose what snapshots Recall collects and stores on their device. For example, users can select specific apps or websites visited in a supported browser to filter out of snapshots, snapshots on demand from the Recall icon in the system tray, clear some or all snapshots that have been stored, or delete all the snapshots from the device.
– Microsoft says: “For enterprise customers, IT administrators can disable automatically saving snapshots using group policy or mobile device management policy. If a policy is used to disable saving snapshots, all saved snapshots from users’ devices will be deleted, and device users can’t enable saving snapshots.”
– The snapshots captured by Microsoft’s Recall feature are stored locally on the PC but are encrypted and protected using BitLocker encryption.
– Recall data is only stored locally and isn’t accessed by Microsoft or anyone who does not have device access.
What Does This Mean For Your Business?
It’s possible to see the value of the Recall feature (in the forthcoming Copilot+ PCs) in terms of offering UK businesses a potential boost in productivity and efficiency. Being able to search by voice and quickly find (and eventually click through to) anything you’ve been looking at could make it much faster and easier to retrieve and manage digital content. This could, of course, save valuable time and reduce frustration, leading to more streamlined workflows and increased operational efficiency.
However, the elephant in the room with this feature, which has piqued the attention of many commentators and the ICO, is the significant privacy risk it could seemingly pose to businesses and individual users. The unmoderated collection of everything on screen (which could include sensitive information such as passwords, financial data, and confidential business details) raises substantial security and privacy risks. If these snapshots were accessed and fell into the wrong hands, the consequences could be severe, including data breaches and the exposure of proprietary information. It appears, therefore, that the only thing standing between a potential bad actor and your personal/sensitive/business information is knowledge of the password for the PC.
Microsoft’s assertion that Recall is an opt-in feature, with snapshots stored locally and protected by BitLocker encryption, may, however, provide some reassurance, as may the fact that users can control what data is captured and stored, plus enterprise customers can disable automatic snapshot saving through group policy or mobile device management. It is worth being clear about what BitLocker does and does not do here, though: it is full-disk encryption at rest, so it protects a switched-off or stolen device, but once the user has signed in the volume is unlocked and the snapshot store is readable by any process running in that user’s session, including malware. Despite these measures, therefore, the potential for misuse remains, especially if a device is compromised or accessed by an unauthorised individual.
To address these privacy concerns, Microsoft will need to provide comprehensive transparency and robust security assurances to the ICO, businesses, and privacy advocates too. Demonstrating that Recall complies with data protection regulations and adequately safeguards user data will be crucial. Clearly, even though Recall is still just at the preview stage, there are serious concerns, and failure to address these could result in significant backlash, legal challenges, and a loss of trust among users.
If / when Recall is thought to be suitable for wider release for businesses, the decision to implement it will require a careful evaluation of the trade-offs between increased productivity and potential privacy risks. Companies will need to establish clear policies and provide training to ensure that employees understand how to use the feature securely. IT departments will also need to remain vigilant, continually monitoring and managing the feature’s settings to maintain data protection standards.
While Recall offers exciting possibilities for enhancing business efficiency, its success will depend on Microsoft’s ability to address privacy concerns and provide robust security measures, so it remains to be seen how Recall progresses through this preview stage and whether the risks can be mitigated to an acceptable level.
Tech Insight : Windows 11 Updates & VBScript Kill-Off ?
In this insight, we look at the implications of Microsoft’s announcement that the Windows 11 24H2 update is being tested in a pre-release stage and the deprecation of VBScript is being initiated by making it an optional feature.
What Did Microsoft Say?
Microsoft has announced that it is making this year’s annual feature update Windows 11, version 24H2 (Build 26100.712) available in the Release Preview Channel for customers to preview ahead of general availability later this year.
Microsoft says that Windows 11, version 24H2 includes a range of new features like “the HDR background support, energy saver, Sudo for Windows, Rust in the Windows kernel, support for Wi-Fi 7, voice clarity” and more.
Improvements Across Windows
The update also includes many improvements across Windows, such as:
– A scrollable view of the quick settings flyout from the taskbar.
– The ability to create 7-Zip and TAR archives in File Explorer (in addition to ZIP). 7-Zip is a free, open-source file archiver whose native 7z format offers stronger compression than ZIP, and TAR (Tape Archive) is a widely used format for combining multiple files into a single archive file (typically without compression).
– Improvements for connecting Bluetooth® Low Energy Audio devices, i.e. to enhance audio quality, reduce latency, and improve power efficiency for supported devices.
Copilot Pinned To The Taskbar
Microsoft has also said that, in response to feedback from users, the update will also mean that Copilot on Windows as an app will be pinned to the taskbar. This means users get the benefits of a traditional app experience (e.g. the window can be resized, moved, and snapped).
More Details To Come
Microsoft says although Windows Insiders in the Release Preview Channel can install Windows 11, version 24H2 via its “seeker” experience, the rest of us will have to wait for more details in the coming months of the new features and improvements included as part of Windows 11, version 24H2 leading up to general availability.
The Deprecation of VBScript
One other significant announcement from Microsoft was the sharing of a timeline for the deprecation (phasing out) of Visual Basic Scripting Edition, commonly referred to as VBScript. Last October, Microsoft announced that VBScript, first introduced in 1996, would be gradually deprecated.
The latest timeline news is that, beginning with the new OS release later this year, VBScript will be shipped as a feature on demand (FOD), still installed by default so that existing scripts keep working. Microsoft says the feature will finally be completely retired from future Windows OS releases “as we transition to the more efficient PowerShell experiences.” A diagram of the timeline states that the VBScript FOD will be disabled by default from around 2027, ahead of its removal.
Why Is VBScript Going?
Microsoft says VBScript (VBS) is finally going because there are more versatile scripting languages (e.g. JavaScript and PowerShell) that offer “broader capabilities and are better suited for modern web development and automation tasks.”
However, it should also be noted that VBS has long been a popular tool for cyber-criminals. Because its interpreter (Windows Script Host, wscript.exe and cscript.exe) is part of every Windows installation, a .vbs attachment or dropper runs without the attacker needing to bring a runtime of their own, which is exactly what made the highly destructive “ILOVEYOU” worm (2000) possible, as it was a VBS file posing as a text document. Closing another door for cyber-criminals therefore appears to be a further reason why Microsoft is getting rid of VBS.
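Before the FOD is disabled by default, the practical question for an IT team is what in the estate still depends on VBScript. The script below is an added example written for this article (not Microsoft's or the article's own code): it reports the state of the VBScript feature on demand, inventories script files, and lists scheduled tasks that invoke the Windows Script Host. It assumes the capability is named “VBSCRIPT~~~~” on Windows 11 24H2 (on earlier builds Get-WindowsCapability returns nothing for it, because VBScript is still built in), and the search roots are examples to be adjusted for your environment. Run it elevated:

```powershell
# Added example (not from the article or Microsoft): find what still depends on VBScript
# before the feature on demand is disabled by default.
# Assumptions: capability name 'VBSCRIPT~~~~' on 24H2; $SearchRoots are example paths.
# Requires an elevated session (Get-WindowsCapability needs it).

$SearchRoots = @('C:\Scripts', 'C:\ProgramData', "$env:SystemRoot\System32\GroupPolicy")

function Get-VBScriptFeatureState {
    # On 24H2 this is a feature on demand with a State of Installed / NotPresent;
    # on older builds there is no such capability because VBScript is built in.
    $cap = Get-WindowsCapability -Online -ErrorAction SilentlyContinue |
           Where-Object Name -like 'VBSCRIPT*'
    if ($null -eq $cap) { return 'Built in (pre-24H2 build, no capability to report)' }
    return ($cap | ForEach-Object { "$($_.Name): $($_.State)" }) -join '; '
}

function Find-VBScriptFiles {
    # .vbs and .vbe are plain and encoded VBScript; .wsf files can embed VBScript.
    Get-ChildItem -Path $SearchRoots -Recurse -Include *.vbs, *.vbe, *.wsf -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

function Find-VBScriptScheduledTasks {
    # Tasks whose action runs cscript/wscript, or points straight at a .vbs/.vbe file.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match '(?i)\b[cw]script(\.exe)?\b' -or $cmd -match '(?i)\.vb[se]\b') {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Command  = $cmd.Trim()
                }
            }
        }
    }
}

"VBScript feature state: $(Get-VBScriptFeatureState)"
"`nVBScript files under $($SearchRoots -join ', '):"
Find-VBScriptFiles | Format-Table -AutoSize
"`nScheduled tasks that run VBScript:"
Find-VBScriptScheduledTasks | Format-Table -AutoSize
```

Anything the inventory turns up is a candidate for porting to PowerShell; for the rare script that cannot be ported before the FOD is switched off, the capability can be re-enabled per device with Add-WindowsCapability, but that should be a documented exception rather than the default. Until then, the Defender attack surface reduction rule that blocks JavaScript or VBScript from launching downloaded executable content is the obvious compensating control for the malware angle described above.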
What Does This Mean For Your Business?
The forthcoming Windows 11 24H2 update looks like it will bring several key benefits for UK businesses, promising to enhance productivity, security, and overall user experience. Key improvements, such as support for HDR backgrounds, energy-saving features, and the integration of Sudo for Windows and Rust in the Windows kernel, will provide businesses with more robust and efficient systems. The introduction of support for Wi-Fi 7 and improved voice clarity may also enhance connectivity and communication within the workplace, which would be helpful for maintaining seamless operations in today’s ‘digital-first’ business environment.
Also, the update’s enhancements for Bluetooth Low Energy Audio devices could be particularly advantageous for businesses relying on audio devices for communication and collaboration.
The news of the inclusion of a scrollable quick settings flyout and the ability to create 7-Zip and TAR archives directly in File Explorer may simplify business file management and streamline workflows. Such improvements could help make everyday tasks more intuitive and less time-consuming, allowing employees to focus on more critical business activities.
However, it’s worth noting for balance that, as with other updates, some businesses may face compatibility issues with legacy systems or software that has not yet been optimised for the new features. There may also be a learning curve associated with the new functionalities, i.e. perhaps requiring additional training time to fully utilise the update’s benefits.
As for the deprecation of VBScript, considering how long it’s been around, the timeline for its demise marks a significant shift for businesses still relying on this scripting language. While moving to more modern and secure scripting languages like PowerShell and JavaScript offers improved capabilities and security, the transition may necessitate some adjustments. Businesses may need to update or replace legacy systems and scripts that depend on VBScript, which could involve some time and resource investments.
On the positive side, phasing out VBScript should reduce some Windows security risks, as VBS has historically been exploited for malware attacks. The phasing out of VBS, therefore, should enhance the overall security posture of Windows environments, thereby helping businesses protect their data and operations from cyber threats.
In summary, while the Windows 11 24H2 update promises enhancements that can drive efficiency and security, businesses must prepare for potential compatibility issues and the need to transition away from VBScript. Armed with this knowledge, proactive planning for the changes can help UK businesses to maximise the benefits of the new update and maintain a secure, modern, and efficient IT environment.
Tech News : EE and Plusnet Customers To Get Refund From BT
After an Ofcom investigation found that BT didn’t give clear and simple information to customers who signed up to deals with its subsidiaries EE and Plusnet, BT has been told it must refund early exit fees and let existing affected customers walk away penalty-free.
What Happened?
Under consumer protection rules known as ‘General Conditions’ (GCs), which came into force in June 2022, phone and broadband companies (BT is both) must give consumers and small businesses the details of a contract, as well as a summary of its key terms, before they sign up. These details must include the price, the length of the contract, the speed of the service, and any early exit fees.
UK Telecoms regulator, Ofcom, says that it opened an investigation into BT after it received information that two of BT’s wholly-owned subsidiaries, EE and Plusnet, may not have been providing the required documents to some customers.
The Findings
Ofcom says its investigation revealed that since the introduction of the new rules on 17 June 2022, EE and Plusnet made more than 1.3 million sales without providing customers with the required contract summary and information documents. Ofcom found evidence that 1.1 million customers were affected by this between 26 June and 30 September 2023, i.e. they were not given contract information before they signed up as is required under the new rules.
Other key findings by Ofcom were that:
– Despite telling Ofcom in February 2022 that it was confident the deadline to meet the new rules would be met, evidence showed that BT knew as early as January 2022 that some of its sales channels would not meet the deadline.
– In some cases, BT deliberately chose not to comply with the rules on time.
– Ofcom says that whereas other providers dedicated the resources required to meet the implementation deadline for the new rules, BT may have saved costs by not doing so.
– Some sales channels are still non-compliant, and BT is still not providing the required information at the right time to some customers.
The Outcome
The outcomes of Ofcom’s findings in this case are that:
– Ofcom has issued a £2.8 million fine to BT, although this includes a 30 per cent discount as a result of BT’s admission of liability and its completion of Ofcom’s settlement process.
– The 1.1 million customers affected have been given the opportunity to request the information and/or cancel their contract without charge.
– For those customers who left BT before the end of their contract and were charged an early exit fee, BT must refund those early exit fees, and let existing affected customers walk away penalty-free.
Other Action
Other actions that BT has been instructed to take by Ofcom in relation to this case include:
– Identifying and refunding any affected customers who may have been charged for leaving before the end of their contract period, within five months of Ofcom’s decision.
– Within three months, contacting the remaining affected customers who are still with BT and have not already been contacted, to offer them their contract information and/or the right to cancel their contract without charge.
– Amending remaining sales processes that are still non-compliant within three months of Ofcom’s decision.
Unacceptable
Ofcom’s Enforcement Director, Ian Strawhorne, said: “When we strengthened our rules to make it easier for consumers to compare deals, we gave providers a strict timeline by which to implement them. It’s unacceptable that BT couldn’t get its act together in time, and the company must now pay a penalty for its failings.”
Also, Rocio Concha, Director of Policy and Advocacy for consumer organisation ‘Which?’ said: “It’s absolutely right that Ofcom is fining BT for not providing EE and Plusnet customers with clear contract information before they signed up – as some people will have been hit with pricey exit fees they never should have faced.”
What Does BT Say?
BT has been reported as saying that it is sorry, will “implement the remedial actions” required by Ofcom and has “taken steps to proactively contact affected customers and arrange for them to receive the information and be refunded where applicable.”
What Does This Mean For Your Business?
Ofcom’s ruling against BT is a reminder to telecoms companies and service providers about the importance of compliance with the latest regulatory requirements. For BT, this incident highlights the critical need for transparency and accountability in customer communications, especially in a competitive market where trust is paramount. The £2.8 million fine (which some commentators say should have been higher) and the mandated refunds are examples of the financial and reputational risks associated with non-compliance.
For other providers, this case is a cautionary tale that emphasises the need to adhere to consumer protection rules and the potential consequences of failing to do so. It also shows that companies that decide to push boundaries in their marketing campaigns must think more carefully about these strategies, ensuring that their promotional activities do not leave customers in the dark about what they are signing up for. In an industry where bundling services into complex contracts is common, maintaining clarity and simplicity within customer interactions is still essential to avoid regulatory scrutiny and potential penalties.
For customers, this case may bring some (modest) benefit from increased regulatory oversight and the assurance that providers must comply with clear guidelines, helping them make more informed decisions about their service contracts. Also, knowing that contracts can be exited without penalty in cases of non-compliance should be reassuring, and should help stop consumers being unfairly trapped in agreements they did not fully understand.